{"id":1945,"date":"2025-02-14T06:00:00","date_gmt":"2025-02-14T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1945"},"modified":"2025-02-14T06:00:00","modified_gmt":"2025-02-14T06:00:00","slug":"what-is-anomaly-detection-behavior-based-analysis-for-cyber-threats","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1945","title":{"rendered":"What is anomaly detection? Behavior-based analysis for cyber threats"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Anomaly detection is an analytic process for identifying data points or events that deviate significantly from established patterns of behavior. In cybersecurity, anomaly detection is one of the top defensive capabilities organizations should consider fine-tuning so they can detect and remedy adverse cyber events quickly, before those events take root and proliferate.<\/p>\n<p>The concept of anomaly detection in cybersecurity was introduced by computer scientist Dorothy Denning \u2014 who also introduced the lattice model of secure information flow \u2014 in a landmark 1987 paper entitled \u201c<a href=\"https:\/\/ieeexplore.ieee.org\/document\/1702202\/authors#authors\">An Intrusion-Detection Model<\/a>.\u201d Since then, infosec practitioners and cybersecurity vendors have incorporated Denning\u2019s concepts into their defense techniques, practices, and products.<\/p>\n<p>\u201cAnomaly detection is the holy grail of cyber detection where, if you do it right, you don\u2019t need to know <em>a priori<\/em> the bad thing that you\u2019re looking for,\u201d Bruce Potter, CEO and founder of Turngate, tells CSO. \u201cIt\u2019ll just show up because it doesn\u2019t look like anything else or doesn\u2019t look like it\u2019s supposed to. 
People have been tilting at that windmill for a long time, since the 1980s, trying to figure out what normal is so they can look for deviations from it to find all the bad things happening in their enterprises.\u201d<\/p>\n<p>The challenge for CISOs now is to know and understand where adverse events are already getting detected in their existing mix of security vendor products. Then, if appropriate, CISOs should consider elevating their anomaly detection game to give their security teams even greater power to detect troubling trends, all while shielding them from alert fatigue.<\/p>\n<h2 class=\"wp-block-heading\">What are anomalies?<\/h2>\n<p>Anomalies are any deviations from routine behaviors or events within a system or network, such as a sudden spike in traffic, high activity on a server when that server should be idle, or a surge in traffic from IP addresses not typical for a particular asset. Quickly identifying outlier events can help cyber teams glean early signals of a potential attack unfolding.<\/p>\n<p>Matt Shriner, global threat management partner and portfolio leader at IBM Consulting, tells CSO that, like all cybersecurity-related firms, IBM almost always associates anomalies with security threats. But, Shriner says, \u201cnot all anomalies are bad. 
Some anomalies may highlight opportunities for architectural optimization or improving business strategies, such as adapting to retail seasonal behavior changes.\u201d<\/p>\n<h2 class=\"wp-block-heading\">The role of cybersecurity tools in anomaly detection<\/h2>\n<p>Although predicated on advanced math concepts, anomaly detection, which the <a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/CSWP\/NIST.CSWP.29.pdf\">NIST Cybersecurity Framework 2.0<\/a> groups under the Detect function\u2019s \u201cadverse event analysis\u201d category, has over the past two decades been incorporated into a wide range of cybersecurity tools, including <a href=\"https:\/\/www.csoonline.com\/article\/653052\/how-to-pick-the-best-endpoint-detection-and-response-solution.html\">endpoint detection and response (EDR)<\/a>, firewall, and <a href=\"https:\/\/www.csoonline.com\/article\/566677\/12-top-siem-tools-rated-and-compared.html\">security information and event management (SIEM)<\/a> tools.<\/p>\n<p>\u201cIn general, you can split the detection universe into two halves,\u201d Potter says. \u201cOne is finding known bads, and then one is finding things that might be bad. Known bads are typically like a signature base where I know very specifically if I see this file or this exact thing happened on the system, it\u2019s bad.\u201d Known bads are typically flagged by <a href=\"https:\/\/www.csoonline.com\/article\/566389\/10-essential-enterprise-security-tools-and-11-nice-to-haves.html\">fundamental cybersecurity tools<\/a>.<\/p>\n<p>\u201cIf you buy a firewall today from even the lowest kind of vendors, they\u2019re going to have some sort of anomaly detection,\u201d David Brumley, CEO of ForAllSecure, tells CSO. \u201cIt\u2019s going to be at maybe the network layer, or a commonplace is WAFs [web application firewall] for intrusion detection. 
It\u2019s like, \u2018Hey, this looks like a bad SQL injection packet.\u2019 It\u2019s something that CISOs don\u2019t have to focus on.\u201d<\/p>\n<p>Potter points out that EDR systems catch most, if not all, known bad anomalies at endpoints. \u201cMost organizations, to be blunt, have solved the endpoint security problem,\u201d he says. \u201cIf you\u2019re reasonably competent, you have an EDR. If something gets through one of them, it\u2019s just kind of a fluke.\u201d<\/p>\n<p>Andrew Krug, head of security advocacy at Datadog, singles out SIEM as security teams\u2019 primary means for detecting anomalous behavior in their infrastructure today. \u201cIf you don\u2019t have a facility like this, you have no way to know that something\u2019s gone wrong,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">Alert fatigue poses a significant challenge<\/h2>\n<p>No matter how conceptually elegant the idea of detecting anomalies might be, \u201cthe reality is it tends to be very high in both false positives and false negatives, and you spend time chasing your tail on things that aren\u2019t bad and then things that are bad fly under the radar, and you totally miss them,\u201d Turngate\u2019s Potter says.<\/p>\n<p>To avoid this, security operations center (SOC) personnel can set criteria to minimize false reports, \u201cwhich means you\u2019re typically more likely to detect true oddball anomalies, but you\u2019re going to miss stealthy attacks,\u201d ForAllSecure\u2019s Brumley says.<\/p>\n<p>On the other hand, allowing reports to fly free without filters can burn out workers. \u201cOne of the things that we talk about a lot when it comes to alerting systems is alert fatigue,\u201d Datadog\u2019s Krug says. 
\u201cIf the SIEM generates too many alerts and folks are constantly running down low-value alerts, spinning up investigations, they\u2019re not going to enjoy working with that product.\u201d<\/p>\n<p>SOC staff who work with alerts have \u201cone of the toughest jobs in cybersecurity,\u201d Krug adds. \u201cIt has, I think, the shortest tenure of any of the roles. Folks don\u2019t survive long in the SOC because they\u2019re buried in alerts. Their quality of life isn\u2019t high. Giving those people the ability to say, \u2018This alert\u2019s not working for me,\u2019 and have them participate in tuning is a massive part of building an effective detection strategy.\u201d<\/p>\n<h2 class=\"wp-block-heading\">How CISOs can up their detection game<\/h2>\n<p>Standard security tools do well in flagging and even remediating adverse events involving known bad anomalies. \u201cThe signature-based universe is pretty effective,\u201d Potter says. \u201cMost attackers are not reinventing the wheel and will do as little work as possible to reach their objective. If they can do the same thing a hundred times and are successful 10 times, it\u2019s probably good enough.\u201d<\/p>\n<p>But it\u2019s hard to train computers to look for bespoke anomalies, so teeing things up for human judgment can help in certain environments. \u201cIt\u2019s one thing to raise awareness and cause the alert to go, \u2018Hey, here\u2019s something squirrelly,\u2019\u201d Potter says. \u201cIt\u2019s another thing then for a human to have the signal in front of them to be able to say, \u2018Oh, yeah, that\u2019s really weird.\u2019\u201d<\/p>\n<p>But some experts caution against placing too much emphasis on human discernment. Datadog CISO Emilio Escobar tells CSO, \u201cMy advice to CISOs is to be open-minded about trying anomaly detection models when implementing their detection and response capabilities. 
With the emerging landscape of threats combined with the complexity of the IT landscape, we will always be playing catch-up if we try to do everything using human eyes or having to write direct code that handles anomalies.\u201d<\/p>\n<p>Several use cases for anomaly detection don\u2019t fit the signature detections written for industry-wide threats such as <a href=\"https:\/\/www.csoonline.com\/article\/563507\/what-is-ransomware-how-it-works-and-how-to-remove-it.html\">ransomware<\/a>, data exfiltration, or command-and-control traffic, IBM\u2019s Shriner says. These include insider threats, fraud detection, IT systems management, and more.<\/p>\n<p>Before doing anything else, CISOs must recognize that they need the insights more bespoke anomaly detection can provide. \u201cWith a basic understanding of how that data knowledge can be used, in use cases like data exfiltration, compromised credentials, malware beaconing, and insider threats, organizations can then create a strategy for anomaly detection that fits their specific business case,\u201d says Shriner.<\/p>\n<p>Potter thinks organizations should seek balance when devising their custom anomaly detection programs. \u201cFor most organizations, you don\u2019t have time to tinker yourself to come up with some anomaly detection capability on your own,\u201d he says. \u201cThat\u2019s where I think organizations get into trouble. You\u2019re all in on signature detection, so if anything new happens, you\u2019re blind to it.\u201d<\/p>\n<p>But then, conversely, \u201cthere are companies that have been all in on anomalies. There are literally no signatures. It\u2019s just all math and AI and all this kind of stuff. And man, that can go wildly off the rails as well. So, I think when purchasing, you have to think about both. 
And the reality is most products, most mature products, are a reasonable combination of both.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Anomaly detection is an analytic process for identifying points of data or events that deviate significantly from established patterns of behavior. In cybersecurity, anomaly detection is one of the top defensive skills organizations should consider fine-tuning to ensure they can detect and remedy adverse cyber events quickly before they take root and proliferate. The concept [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1934,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1945","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1945"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1945"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1945\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1934"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1945"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1945"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2F
tags&post=1945"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
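The article's "What are anomalies?" section names three concrete deviations (a traffic spike, activity on a server that should be idle, and traffic from a source IP that is not typical for an asset), and the alert-fatigue section describes the trade-off of tightening detection criteria: fewer false positives but stealthier attacks missed. The block below is an added example, not code from the article or from any vendor quoted in it, that turns those descriptions into a runnable baseline-and-deviation detector. Everything in it is assumed for illustration: the hourly per-host, per-source request counts are constructed telemetry, the seven-day training window and the z-score rule are design choices, and the host names and IP addresses are placeholders.

```python
"""Baseline-and-deviation anomaly detection over constructed host telemetry.

Added example; not code from the CSO article or from any product it mentions.
Assumptions (not from the article): hourly request counts per server and
source IP, a 7-day training window (days 0-6), and a z-score rule for volume.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass

BASELINE_DAYS = 7   # days 0-6 establish "normal"; day 7 is the day we score
HOURS = range(24)


@dataclass(frozen=True)
class Record:
    day: int
    hour: int
    host: str
    src: str
    requests: int


@dataclass(frozen=True)
class Alert:
    kind: str
    host: str
    hour: int
    detail: str


@dataclass
class Baseline:
    mean: dict            # (host, hour) -> mean hourly total over the training days
    stdev: dict           # (host, hour) -> sample stdev of that series
    known_sources: dict   # host -> set of source IPs seen during training


def constructed_telemetry() -> list[Record]:
    """Synthetic records (constructed for this example, not real logs).

    web-01 serves 100-120 requests/hour from two internal sources;
    backup-01 is busy only at 02:00. Day 7 carries four planted anomalies.
    """
    recs: list[Record] = []
    for day in range(BASELINE_DAYS + 1):
        for hour in HOURS:
            recs.append(Record(day, hour, "web-01", "10.0.1.10", 50 + 10 * ((day + hour) % 3)))
            recs.append(Record(day, hour, "web-01", "10.0.1.11", 50))
        recs.append(Record(day, 2, "backup-01", "10.0.2.20", 500))
    # Replace two normal day-7 records with planted anomalies, then add two more.
    recs = [r for r in recs
            if not (r.day == 7 and r.src == "10.0.1.10" and r.hour in (3, 14))]
    recs.append(Record(7, 14, "web-01", "10.0.1.10", 850))   # blatant spike: hourly total 900
    recs.append(Record(7, 3, "web-01", "10.0.1.10", 95))     # subtle spike: hourly total 145
    recs.append(Record(7, 20, "web-01", "203.0.113.9", 5))   # source IP never seen before
    recs.append(Record(7, 11, "backup-01", "10.0.2.20", 40)) # activity on a normally idle hour
    return recs


def hourly_totals(records: list[Record]) -> dict:
    totals: dict = defaultdict(int)
    for r in records:
        totals[(r.day, r.host, r.hour)] += r.requests
    return totals


def build_baseline(records: list[Record], days: int = BASELINE_DAYS) -> Baseline:
    """Learn per-(host, hour) statistics and the set of sources seen per host."""
    train = [r for r in records if r.day < days]
    totals = hourly_totals(train)
    mean, stdev, known = {}, {}, defaultdict(set)
    for host in {r.host for r in train}:
        for hour in HOURS:
            # Hours with no records count as 0, so an idle host gets a zero baseline.
            series = [totals.get((d, host, hour), 0) for d in range(days)]
            mean[(host, hour)] = statistics.fmean(series)
            stdev[(host, hour)] = statistics.stdev(series)
    for r in train:
        known[r.host].add(r.src)
    return Baseline(mean, stdev, dict(known))


def detect(records: list[Record], baseline: Baseline, day: int,
           z_threshold: float = 3.0) -> list[Alert]:
    """Flag volume deviations, activity on idle hours, and never-seen sources."""
    scored = [r for r in records if r.day == day]
    totals = hourly_totals(scored)
    alerts: list[Alert] = []
    for host in baseline.known_sources:
        for hour in HOURS:
            observed = totals.get((day, host, hour), 0)
            mu, sigma = baseline.mean[(host, hour)], baseline.stdev[(host, hour)]
            if sigma == 0.0:
                # Constant history: any change is a deviation; a zero mean means
                # the host is normally idle at this hour, so any activity is notable.
                if observed != mu:
                    kind = "idle_host_activity" if mu == 0 else "constant_baseline_deviation"
                    alerts.append(Alert(kind, host, hour, f"observed={observed} baseline={mu:g}"))
                continue
            z = (observed - mu) / sigma
            if abs(z) >= z_threshold:
                alerts.append(Alert("volume_deviation", host, hour, f"observed={observed} z={z:.1f}"))
    for r in scored:
        if r.src not in baseline.known_sources.get(r.host, set()):
            alerts.append(Alert("new_source", r.host, r.hour, f"src={r.src} requests={r.requests}"))
    return alerts


def threshold_sweep(records: list[Record], thresholds=(1.0, 3.0, 5.0)) -> dict:
    """Alert volume per z threshold: the false-positive / missed-attack trade-off."""
    baseline = build_baseline(records)
    return {t: len(detect(records, baseline, BASELINE_DAYS, t)) for t in thresholds}


if __name__ == "__main__":
    recs = constructed_telemetry()
    for alert in detect(recs, build_baseline(recs), BASELINE_DAYS, z_threshold=3.0):
        print(alert)
    print(threshold_sweep(recs))
```

At a z threshold of 3 the detector raises exactly four alerts: the 900-request spike, the subtle 145-request hour, the backup host active at 11:00, and the unfamiliar source. Raising the threshold to 5 drops the subtle hour (the "stealthy attack" the article warns about), while lowering it to 1 floods the queue with ordinary hours whose counts wobble by 10 to 20 requests, which is the alert fatigue the SOC staff in the article describe. The idle-host and new-source rules do not depend on the threshold at all, which is why the article's experts favour combining several kinds of detection rather than tuning a single statistic.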