Behavioral analysis uses machine learning, artificial intelligence, big data, and analytics to identify malicious behavior by analyzing differences in normal, everyday activities.
Let’s Define Behavioral Analysis
Malicious attacks have one thing in common – they all behave differently than normal everyday behavior within a system or network. Companies can often identify malicious behaviors through signatures that are directly related to certain types of well-known attacks. However, as attackers get more sophisticated, they continually develop new tactics, techniques, and procedures (TTPs) that allow them not only to enter vulnerable environments, but also to move laterally undetected.
That’s where behavioral analysis comes in. With the help of massive volumes of unfiltered endpoint data, security personnel can now use behavioral-based tools, algorithms, and machine learning to determine what the normal behavior of everyday users is – and what it is not. Behavioral analysis can identify events, trends, and patterns – both current and historic – that are outside the parameters of everyday norms.
By zeroing in on these anomalies, security teams can gain visibility and identify unexpected behavioral tactics of attackers early on, before they fully execute their plan of attack. Behavioral analysis can also help uncover root causes and provide insights for future identification and prediction of similar attacks.
Unusual timing of events, abnormal sequences of actions, or increased data movement are just a few indications of malicious activity in an environment. Here are some specific examples of not-so-normal behaviors that could lead to the identification of an attack in progress.
- A link in a legitimate-looking file loads into memory, and then remotely loads a script to go after confidential data that is sent back to the attacker.
- Native system tools, such as Microsoft Windows Management Instrumentation (WMI) and Microsoft PowerShell scripting languages that typically would be considered highly trusted, are targeted to get scripts to run remotely.
Back in early 2016, the SANS Institute recognized the importance of behavioral analysis in a whitepaper, Using Analytics to Predict Future Attacks and Breaches. The author notes in the conclusion, “Leveraging more advanced data analytics platforms to take in more and different types of data, focusing on increased network threat visibility, and automating detection and response actions may help security teams now and in the future as they evolve to meet these challenges.”
Well, the future is now here, and in 2018, behavioral analysis is essentially a baseline requirement for advanced endpoint security. In fact, in its Magic Quadrant for Endpoint Protection Platform report, Gartner sees machine learning and behavior monitoring as strengths of visionaries and leaders. The report also notes that “The most visionary and leading of vendors in 2018 and 2019 will be those that use the data collected from their [endpoint detection and response] capabilities to deliver actionable guidance and advice that is tailored to their clients.”
17% of breaches in 2017 were caused by human error (as opposed to deliberate malicious intent.)
To fully unleash behavioral analysis, companies must take advantage of the cloud and its immense computational power, unlimited scalability, and ease of management. The cloud provides a proactive approach that combines big data with powerful analytics to help outsmart the latest, most threatening emerging attacks.
For example, the cloud enables streaming analytics, where normal and abnormal endpoint activity can be monitored and compared to any unfiltered historical endpoint data. By analyzing these event streams and comparing them to what looks like normal ones, the cloud creates a global threat monitoring system that not only detects attacks, but predicts ones that have never been seen before.
This powerful approach is simply not possible with traditional AV solutions, which are signature-based, but it is with next-generation antivirus (NGAV) software.
NGAV in the cloud offers bi-directional communication with endpoints, so that all unfiltered endpoint data can be monitored and turned into predictive analytics that proactively protects companies from sophisticated attacks.
Plus, the cloud provides the infrastructure benefits that most companies are already experiencing with other enterprise software – simplified, less costly operations, faster deployment, and the latest and most innovative technology.