The Lockdown

Thycotic’s Cyber Security Blog

Predicting Potential Threat: Behavior Analytics and Threat Modeling

Written by Thycotic Team

October 21st, 2014

Wouldn’t it be nice to identify a potential threat before it turns into an incident? This post explains what threat modeling and behavioral analytics mean in practice, and how Secret Server’s event subscriptions, reports and SIEM integration let you discover a threat and act on it immediately, stopping an attacker in their tracks.

Threat Modeling

The term “threat modeling” has become quite popular lately, and it is increasingly pitched as a major feature of information security software. But what does the term mean for a business trying to secure its data? OWASP describes threat modeling as a process for capturing, organizing, and analyzing all of the information that affects the security of an application. Done well, it makes security work easy to justify and ensures that time and effort go to the areas that carry the highest risk to the company.

The catch is that threat modeling can be time-consuming and, if done by hired consultants, costly. Threats suspected to be high-risk sometimes turn out to be trivial, and the time spent investigating them could have gone elsewhere. Threat models are also perishable: applications and infrastructures change, so a model can become outdated or inaccurate after even small changes to either, or when a new technology is introduced to the company. Threat modeling can be done entirely by people, but the emerging trend is tooling that does the collection. By laying all of the security details out on the table, the application lets analysts make decisions about the security of their infrastructure without manually identifying threats and gathering data.

Behavioral Analytics

Behavioral analytics is exactly what it sounds like: the study of human behavior. Its relevance to information security follows from the core problem of privileged account management. Most organizations do not have a single administrator with elevated permissions; there are usually several admins who can serve the same role. Without extensive, fine-grained logging, it then becomes difficult to trace an incident within the company back to its exact cause.

In information security, behavioral analytics aims to simplify that process by alerting administrators when behavior deemed unusual or suspicious occurs within the infrastructure. An example of suspicious behavior: a user who normally works 9 AM to 5 PM logs into a work computer at 3 AM. The user should have no reason to do so and may be performing actions they do not want others to be aware of. An example of unusual behavior: an admin suddenly changes a policy that has not changed in 3 years. These flags may be false positives (the behavior that raised the alert was planned by the organization and not malicious), but they save a great deal of time combing through logs by highlighting the most likely threats, using a combination of user-provided data, collected logs, and preset rules.

The logs are what the application uses to “learn” what normally happens on the network: which IP addresses machines are typically accessed from, which accounts are used often and which are not, and which accounts or policies go unchanged for long periods. The application then flags actions that break that pattern, say a policy that has not been edited for 6 months but is suddenly changed by an admin. The practical caveat is that a baseline is only as good as the period it was learned from: if the learning window already contains the attacker’s activity, or if a user has no history at all, the model has nothing trustworthy to compare against.

Combining the Power of Threat Modeling & Behavioral Analytics

Secret Server has several features that address the problems behavioral analytics and threat modeling are meant to detect. An admin can set event subscriptions on the vast majority of things that happen on or through Secret Server, including logins, views of a Secret, and configuration changes, and can opt to receive an e-mail alert each time a specified event occurs, such as a sensitive Secret being accessed or shared with someone.

In addition, custom reports let you use SQL to define your own periodic notifications of events in Secret Server, such as which Secrets in a folder were accessed on a given day, which users accessed Secrets they did not create, and which Secrets require approval to be accessed. The “Healthcheck” report helps find anomalous conditions such as users who have logged into Secret Server outside of business hours in the last week, or users who have accessed an abnormally high number of Secrets in a short period. Event subscriptions give instantaneous notice, while custom and “Healthcheck” reports give a record of events over a specified time interval.
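The checks described in the two passages above (the learned-baseline detections in the behavioral analytics section, and the off-hours login and high-volume access conditions the “Healthcheck” report looks for) can be shown as working detection logic over a small audit log. The following is an added example written for this page; it is not Secret Server code and does not use Secret Server’s log format or report schema. The pipe-delimited log lines are constructed, and the field names, action names and thresholds are assumptions chosen so the small sample trips each rule. It runs offline with the standard library only.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log (not real Secret Server output). Assumed format:
# ISO timestamp | user | action | source IP | target object
SAMPLE_LOG = """\
2014-09-01T09:05:00|alice|LOGIN|10.0.0.5|-
2014-09-01T09:06:00|alice|SECRET_VIEW|10.0.0.5|secret:db-prod
2014-09-01T13:30:00|alice|LOGIN|10.0.0.5|-
2014-09-02T16:45:00|alice|LOGIN|10.0.0.5|-
2014-09-02T16:50:00|alice|SECRET_VIEW|10.0.0.5|secret:db-prod
2014-09-03T10:00:00|bob|LOGIN|10.0.0.9|-
2014-09-03T10:02:00|bob|POLICY_CHANGE|10.0.0.9|policy:password-rotation
2014-10-20T03:12:00|alice|LOGIN|203.0.113.7|-
2014-10-20T03:13:00|alice|SECRET_VIEW|203.0.113.7|secret:db-prod
2014-10-20T03:13:20|alice|SECRET_VIEW|203.0.113.7|secret:backup-admin
2014-10-20T03:13:40|alice|SECRET_VIEW|203.0.113.7|secret:domain-admin
2014-10-20T03:14:00|alice|SECRET_VIEW|203.0.113.7|secret:fw-admin
2014-10-20T03:14:20|alice|SECRET_VIEW|203.0.113.7|secret:vpn-admin
2014-10-21T10:58:00|bob|LOGIN|10.0.0.9|-
2014-10-21T11:05:00|bob|POLICY_CHANGE|10.0.0.9|policy:password-rotation
2014-10-21T11:06:00|bob|POLICY_CHANGE|10.0.0.9|policy:mfa-required
"""

# Events before this point are used to learn; events after it are judged.
BASELINE_CUTOFF = datetime(2014, 10, 1)

# Thresholds are assumptions chosen for this small data set; production
# values (the post mentions 6 months for an idle policy) would be larger.
HOUR_SLACK = 1                       # tolerance around learned login hours
STALE_DAYS = 30                      # policy idle this long, then edited
BURST_MAX = 4                        # more than this many secret views...
BURST_WINDOW = timedelta(minutes=5)  # ...inside this window


def parse_log(text):
    """Parse the pipe-delimited lines into dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, ip, target = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "ip": ip, "target": target})
    return sorted(events, key=lambda e: e["ts"])


def learn_baseline(events):
    """Per-user usual login hours (widened by HOUR_SLACK) and source IPs."""
    hours, ips = defaultdict(set), defaultdict(set)
    for e in events:
        if e["action"] == "LOGIN":
            h = e["ts"].hour
            hours[e["user"]].update(range(h - HOUR_SLACK, h + HOUR_SLACK + 1))
            ips[e["user"]].add(e["ip"])
    return hours, ips


def detect(log_text, baseline_cutoff):
    """Learn from events before the cutoff, flag anomalies at or after it.

    Returns a list of (timestamp, user, reason) tuples in chronological order.
    """
    events = parse_log(log_text)
    hours, ips = learn_baseline([e for e in events if e["ts"] < baseline_cutoff])
    last_policy_change = {}            # policy target -> last edit time
    recent_views = defaultdict(deque)  # user -> timestamps of recent views
    flags = []
    for e in events:
        ts, user, action = e["ts"], e["user"], e["action"]
        live = ts >= baseline_cutoff   # only post-cutoff events are judged
        if action == "LOGIN" and live:
            # A user with no learned history is skipped here rather than
            # flagged on every event; that absence is itself worth a report.
            if hours[user] and ts.hour not in hours[user]:
                flags.append((ts, user, "login outside learned hours"))
            if ips[user] and e["ip"] not in ips[user]:
                flags.append((ts, user, "login from unseen IP %s" % e["ip"]))
        elif action == "SECRET_VIEW":
            q = recent_views[user]
            q.append(ts)
            while ts - q[0] > BURST_WINDOW:   # drop views older than the window
                q.popleft()
            if live and len(q) > BURST_MAX:
                flags.append((ts, user, "%d secret views within %s" % (len(q), BURST_WINDOW)))
                q.clear()              # one alert per burst, not per extra view
        elif action == "POLICY_CHANGE":
            prev = last_policy_change.get(e["target"])
            last_policy_change[e["target"]] = ts
            # A policy never seen before has no idle period to measure.
            if live and prev is not None and ts - prev > timedelta(days=STALE_DAYS):
                flags.append((ts, user, "%s changed after %d idle days"
                              % (e["target"], (ts - prev).days)))
    return flags


if __name__ == "__main__":
    for ts, user, reason in detect(SAMPLE_LOG, BASELINE_CUTOFF):
        print(ts.isoformat(), user, reason)
```

On the constructed data this yields four flags: alice’s 3 AM login (outside her learned hours), the same login from an address never seen for her, her five secret views inside a few minutes, and bob editing a policy that had sat untouched for 48 days. The policy he changes for the first time is deliberately not flagged, since there is no prior edit to measure an idle period against; whether “first ever change” should alert is a policy decision for the organization, not something the baseline can answer.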

Secret Server supports SIEM integration for the system log and event subscriptions, so any SIEM tool your company uses can consume Secret Server’s audit data as long as it accepts the CEF or Syslog formats. This matters for any company looking for strong threat modeling and behavioral analytics because it gives you a full view of potential threats. Event subscriptions and custom reports let you see and be alerted on unusual behavior within Secret Server, but a SIEM tool can build a more comprehensive picture by cross-referencing privileged account usage with office access, IP addresses, typical work hours, and much more. We partner with Splunk, LogRhythm, SolarWinds, Tenable Network Security and HP ArcSight for SIEM support, and Secret Server’s audit data can be connected to any SIEM tool with Syslog support.
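To make the CEF and Syslog hand-off concrete, here is an added example of how one alert is framed as a CEF record, wrapped in a BSD-syslog line, and parsed back out. This is not Secret Server’s or Thycotic’s code, and the vendor, product, signature ID and extension field names in the constructed alert are assumptions; the point is the CEF framing and the escaping rules, which are what a SIEM parser depends on. The header fields must escape the pipe delimiter and backslashes, while extension values must escape `=`, backslashes and line breaks; getting either wrong silently shifts fields in the SIEM.

```python
import re

# Constructed alert (not real Secret Server output). Vendor, product,
# signature ID and extension keys are assumptions for illustration.
ALERT = {
    "vendor": "Example",
    "product": "SecretVault",
    "version": "8.8",
    "signature_id": "SECRET_VIEW_ANOMALY",
    "name": "Off-hours secret view | unseen source IP",     # pipe must be escaped
    "severity": 7,
    "ext": {
        "suser": "alice",
        "src": "203.0.113.7",
        "rt": "Oct 20 2014 03:13:00",
        "msg": "viewed secret=db-prod from new address",  # '=' must be escaped
    },
}

HEADER_KEYS = ("vendor", "product", "version", "signature_id", "name", "severity")
# key=value pairs; a value runs until the next " key=" or the end of the line
EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s\w+=|$)")


def esc_header(value):
    """Header fields: escape backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def esc_ext(value):
    """Extension values: escape backslash, '=', and line breaks."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def unescape_ext(value):
    """Reverse esc_ext in a single pass so '\\\\' and '\\=' do not interfere."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def to_cef(alert):
    """Render one record: 'CEF:0', six escaped header fields, then the extension."""
    header = "|".join(esc_header(alert[k]) for k in HEADER_KEYS)
    ext = " ".join("%s=%s" % (k, esc_ext(v)) for k, v in alert["ext"].items())
    return "CEF:0|%s|%s" % (header, ext)


def parse_cef(line):
    """Split a CEF:0 record back into (header dict, extension dict)."""
    prefix = "CEF:0|"
    if not line.startswith(prefix):
        raise ValueError("not a CEF:0 record")
    fields, cur, i = [], [], len(prefix)
    while i < len(line) and len(fields) < 6:   # stop after six header fields
        c = line[i]
        if c == "\\" and i + 1 < len(line):     # escaped char: keep it literally
            cur.append(line[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) != 6:
        raise ValueError("truncated CEF header")
    ext = {m.group(1): unescape_ext(m.group(2)) for m in EXT_RE.finditer(line[i:])}
    return dict(zip(HEADER_KEYS, fields)), ext


def syslog_line(cef, host, timestamp, facility=20, severity=4):
    """Wrap a record in a BSD-syslog (RFC 3164) line; PRI = facility*8 + severity."""
    return "<%d>%s %s %s" % (facility * 8 + severity, timestamp, host, cef)


if __name__ == "__main__":
    record = to_cef(ALERT)
    print(syslog_line(record, "vault01", "Oct 20 03:13:00"))
    print(parse_cef(record))
```

The round trip through `parse_cef` is the check worth keeping in a test suite: if a field containing `|` or `=` does not come back intact, the SIEM on the receiving end will misalign the columns in exactly the same way, and the off-hours or new-IP alert will land in the wrong field or be dropped.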