Unknown Threat Detection

Zero-day attacks, polymorphic code, and signature-based evasion techniques prevent us from proactively protecting enterprise environments from modern-day malware.  The generally accepted norm is that signature-based detections are, at best, 80% effective.  But that percentage is deceptive.  The remaining 20% typically represents a more advanced blend of threats driven by insidious intent. 

Click Security RtSA Response

Our broad perspective of the environment is obtained through a diverse set of telemetry data.  The core of our product is normalized, elemental data in the form of flow, authentication, access and security events.  Each event is associated with an entity or actor: a device, user or process capable of performing an action.  Identifying and tracking authentication, access and network flow events at this fundamental level lets us build a digital fingerprint of ‘normal’ on a per-actor or per-resource basis.  That baseline makes abnormal activity easy to identify, even when it has not been fingerprinted as ‘malicious’ by existing signature-based detections.

Unknown Threat Detection

As an example, let’s consider “George”. 

The fact that George started accessing a private area on a human resources (HR) file server may not seem malicious.  If, however, we had enough perspective to know that George worked as an intern in manufacturing, it might seem a little more suspicious.  If we knew more about George’s ‘behavioral fingerprint’, we would realize that he has never accessed this HR asset before, and that other characteristics of his authentication, resource accesses and network flows were also behaviorally anomalous.  Combining these insights, there’s no doubt that something suspicious is under way.  We haven’t matched a malicious signature, nor have we observed what we know to be an actual attack.  It could be that a compromise has occurred and we are observing reconnaissance.  It could also be that an attack is occurring, based on a zero-day threat that is undetectable by signature-based systems.  Or it could be that George has gone rogue and is using the trust and access he’s built within the firm to steal intellectual property.

Further, with Click, not only can we profile George; we can also profile the HR asset itself.  With an administrator's help, the Click system can identify certain resources as higher value than others.  From the above we can surmise that George is doing something unusual, but George might be new to the company, or, working in manufacturing, he may simply not use the computer that much, so our “George profile” is still insufficient in and of itself.  However, we have developed a strong profile of the HR asset over time.  As a result, we know that only Betty and Thelma ever access this particular asset.  Now, when we see George poking around in this asset, significant alerts will fire.
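The two-sided profiling described in the sections above (a per-actor fingerprint of which resources an actor normally touches, a per-resource fingerprint of who normally touches an asset, and an administrator-supplied list of high-value assets) can be sketched as a small scoring routine. The code below is an added example, not Click Security's product code; the event fields, the actor and resource names, the department labels, the threshold for a "thin" actor profile and the severity ladder are all constructed for illustration.

```python
"""Per-actor and per-resource access baselines with anomaly scoring.

Added illustrative example; not Click Security's code. All names, fields and
sample events are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# An actor with fewer baseline events than this is considered to have a
# "thin" profile (constructed threshold): actor-side evidence alone is weak,
# but the resource-side profile can still fire.
MIN_ACTOR_EVENTS = 5
LEVELS = ["none", "low", "medium", "high"]


@dataclass(frozen=True)
class AccessEvent:
    actor: str
    department: str
    resource: str
    action: str = "read"


# Constructed baseline window: who normally touches what.
BASELINE_EVENTS = [
    AccessEvent("betty", "hr", "hr-fs01:/private"),
    AccessEvent("thelma", "hr", "hr-fs01:/private"),
    AccessEvent("betty", "hr", "hr-fs01:/private", "write"),
    AccessEvent("thelma", "hr", "hr-fs01:/private"),
    AccessEvent("george", "manufacturing", "mfg-fs01:/drawings"),
    AccessEvent("george", "manufacturing", "mfg-fs01:/drawings"),
    AccessEvent("raj", "manufacturing", "mfg-fs01:/drawings"),
]

# Administrator-marked high-value assets (constructed).
HIGH_VALUE = {"hr-fs01:/private"}


@dataclass
class Baselines:
    actor_resources: dict = field(default_factory=lambda: defaultdict(set))
    resource_actors: dict = field(default_factory=lambda: defaultdict(set))
    resource_departments: dict = field(default_factory=lambda: defaultdict(set))
    actor_department: dict = field(default_factory=dict)
    actor_event_count: Counter = field(default_factory=Counter)


@dataclass
class Finding:
    severity: str
    reasons: list
    notes: list


def build_baselines(events):
    """Fold a window of access events into actor-side and resource-side profiles."""
    b = Baselines()
    for e in events:
        b.actor_resources[e.actor].add(e.resource)
        b.resource_actors[e.resource].add(e.actor)
        b.resource_departments[e.resource].add(e.department)
        b.actor_department[e.actor] = e.department
        b.actor_event_count[e.actor] += 1
    return b


def bump(severity):
    """Raise a severity one step on the ladder, capped at the top."""
    return LEVELS[min(LEVELS.index(severity) + 1, len(LEVELS) - 1)]


def score_event(event, baselines, high_value=HIGH_VALUE):
    """Score one new event against the baselines.

    Each independent fingerprint that disagrees with the event adds a reason;
    two or more reasons make it 'medium', and a high-value resource bumps the
    result one level.
    """
    reasons, notes = [], []
    known_actor = event.actor in baselines.actor_department

    # Actor-side fingerprint: has this actor ever touched this resource?
    if known_actor:
        if baselines.actor_event_count[event.actor] < MIN_ACTOR_EVENTS:
            notes.append("actor profile is thin; relying on resource profile")
        if event.resource not in baselines.actor_resources[event.actor]:
            reasons.append("first access to this resource by actor")

    # Resource-side fingerprint: is the actor outside the established accessor set?
    if event.resource in baselines.resource_actors:
        if event.actor not in baselines.resource_actors[event.resource]:
            reasons.append("actor not in resource's established accessor set")
            if event.department not in baselines.resource_departments[event.resource]:
                reasons.append("actor's department never accesses this resource")

    if not reasons:
        return Finding("none", reasons, notes)
    severity = "low" if len(reasons) == 1 else "medium"
    if event.resource in high_value:
        severity = bump(severity)
    return Finding(severity, reasons, notes)


if __name__ == "__main__":
    b = build_baselines(BASELINE_EVENTS)
    for ev in [AccessEvent("betty", "hr", "hr-fs01:/private"),
               AccessEvent("george", "manufacturing", "hr-fs01:/private")]:
        f = score_event(ev, b)
        print(ev.actor, ev.resource, f.severity, f.reasons, f.notes)
```

Betty's routine read of the HR share produces no finding, while George's first touch of it trips all three fingerprints and, because the share is marked high value, scores "high" even though his own profile is thin. A brand-new hire in HR who has no actor profile at all still scores on the resource side alone, which is the point of keeping the two profiles independent.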