Opinion: Anomaly Detection is no Silver Bullet for Incident Response

Anomaly detection is a critical component of incident response, but it's no silver bullet, says Alan Hall of BlueCoat Systems.

In-brief: detecting anomalous behavior is a necessary part of incident response – but it’s also harder than it sounds, argues Alan Hall of BlueCoat Systems in this commentary.

In today’s evolving threat landscape, most organizations recognize that prevention alone is not enough to fend off potential threats. However, data breaches still often go undetected for weeks, months or even years. As the cost of breaches continues to rise – up 29 percent from 2013 according to a recent Ponemon report – enterprise leaders are under increased pressure to implement security solutions that are effective in detecting today’s advanced threats. Often traditional approaches, such as signature-based systems and network management tools used in silos, are not a sufficient means for detecting and ultimately preventing a breach before it causes significant harm. Even when using a security information and event management (SIEM) system, there’s simply too much information to sift through, making it humanly impossible to deal with the false positives and make sense of the viable threats specific to your organization.

In order to conduct incident response effectively, IT security and incident response teams need to know which alarms matter to the organization — only then can they focus on the true threats facing their critical systems, applications, processes and data. Anomaly detection is about enabling incident response by giving security teams the ability to hunt for potential risks before a simple breach or unusual behavior escalates into a catastrophic event.

Why most anomaly detection falls short

Today, it’s not a matter of if but when a breach will occur. When an organization does experience a breach, it’s vital to obtain insights quickly to reduce the window of exposure. The incident response team is often tasked with manually monitoring dashboards and spotting simple anomalies. But this process can be extremely time-consuming, and human error, emotion and inconsistent judgment easily lead to ineffective and inaccurate results. In addition, a single metric will likely not indicate an advanced attack. While multiple metrics taken together may very well identify an advanced attack, humans ultimately can’t hold enough related signals in memory at once to correlate them.

Alan Hall is the Director of Product Marketing for Network Forensics and Incident Response at Blue Coat, now part of Symantec.

Organizations often turn to rules and thresholds as early attempts at automation, removing some of the manual work involved in anomaly detection. However, this approach comes with its own set of challenges. For example, thresholds and rules are of little use on periodic data: a fixed threshold either fires during every normal peak or misses activity that is abnormal only for that time of day. Additionally, the alerts this approach generates can create a lot of unnecessary noise that distracts security and incident response teams. Another automated approach is to use static models, which rely on supervised or trained machine learning. However, these static models pull in data that is often outdated and provide an inaccurate picture of the threat landscape.

When it comes to automation, information security and incident response teams need to consider what happens when the norm is no longer the norm – when an analysis baseline is set, it may get old within one month, one week or even one day, depending on the environment, changes in system configurations or user behavior. While response teams have some context for an alert, it can be challenging to know if they have the “right” context and if it holds true across the organization.

How Shadow IT is changing the game

Shadow IT and bring-your-own-device (BYOD) practices can also have a significant impact on implementation of an effective anomaly detection strategy. Transactions that previously wouldn’t be considered part of the network traffic — such as an employee connecting their personal tablet to the network, or an executive using Google drive or Box to store their work files — now need to be analyzed.

While network security was previously contained to the applications vetted and implemented by IT, the digital era has made the business environment much more complex. The network perimeter has expanded exponentially, with IT and incident response teams now having to worry about employees working from multiple devices (laptops, smartphones or tablets), connecting to multiple networks (office Ethernet, home broadband, VPNs, etc.) and using hundreds of applications (enterprise, consumer, productivity or social) that reside across a mix of corporate data centers and cloud service providers. This expanding perimeter introduces countless new endpoints that require security teams to think differently about their approach to threat detection and prevention.

Best practices for anomaly detection

The first step toward achieving a comprehensive incident response program is to establish a baseline of normal behavior in the data. This helps an organization identify what normal network and cloud application activity looks like, so it can then identify abnormal activity.

Every organization is unique and constantly changing – often, moments after a baseline is determined, it can become inaccurate due to environmental changes. Therefore, companies need to understand their own behavior and establish context around the regular activity that occurs and alerts that are generated. Security professionals need to deploy technology that will maintain a dynamic baseline to reflect the changes in the organization.
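As an added illustration of the two points made above (fixed thresholds failing on periodic data, and a baseline that must keep adapting when the norm changes), the following Python is not from the article or from Blue Coat. It runs a static threshold and a per-hour-of-day decaying baseline over a constructed series of hourly connection counts; the data, the threshold of 150, the decay factor and the z-score cut-off are all assumptions.

```python
"""Added example: a static threshold beside a seasonal, decaying baseline.

Constructed data: one host's outbound connections per hour. Business hours
run near 100, nights near 10; all figures are invented for illustration.
"""

PERIOD = 24  # hour-of-day seasonality


def make_sample(days=5, night_burst_at=(4, 18), shift_from_day=None):
    """Periodic counts with small deterministic jitter. Optionally inject a
    night-time burst of 60 at (day, hour) and a permanent daytime level shift
    to 200 from shift_from_day (the "norm is no longer the norm" case)."""
    counts = []
    for d in range(days):
        for h in range(PERIOD):
            base = 100 if 8 <= h < 18 else 10
            if shift_from_day is not None and d >= shift_from_day and 8 <= h < 18:
                base = 200
            counts.append(base + (h * 7 + d * 3) % 5)
    if night_burst_at is not None:
        d, h = night_burst_at
        counts[d * PERIOD + h] = 60
    return counts


def static_threshold_alerts(counts, threshold=150):
    """Rule tuned to the daytime peak: fires on every hour above it and
    never sees a night-time burst that stays below the daytime level."""
    return [i for i, c in enumerate(counts) if c > threshold]


def seasonal_baseline_alerts(counts, alpha=0.3, z=3.0, min_sd=2.0, warmup=1):
    """Per-slot (hour-of-day) EWMA mean/variance; old days decay out, and the
    baseline keeps learning after an alert so a sustained change becomes normal."""
    mu, var, alerts = [None] * PERIOD, [0.0] * PERIOD, []
    for i, c in enumerate(counts):
        s = i % PERIOD
        if mu[s] is None:            # first observation of this slot seeds it
            mu[s] = float(c)
            continue
        diff = c - mu[s]
        if i >= warmup * PERIOD and abs(diff) > z * max(var[s] ** 0.5, min_sd):
            alerts.append(i)
        mu[s] += alpha * diff
        var[s] = (1 - alpha) * (var[s] + alpha * diff * diff)
    return alerts


if __name__ == "__main__":
    burst = make_sample()
    print("night burst  static:", static_threshold_alerts(burst),
          "seasonal:", seasonal_baseline_alerts(burst))
    shift = make_sample(night_burst_at=None, shift_from_day=3)
    print("level shift  static:", len(static_threshold_alerts(shift)),
          "seasonal:", len(seasonal_baseline_alerts(shift)))
```

The night burst is invisible to the static rule but is the only alert from the seasonal baseline; after the permanent daytime shift, the static rule fires on every business hour from then on while the adaptive baseline alerts only on the first day and then treats the new level as normal.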

Once you identify anomalous activity, it’s advantageous to have the means to quickly piece together the entirety of the events that led to an alert so you know the source and scope of an attack. Complete remediation is only possible when you have sufficient details and actual evidence of the attack – web pages, emails, IMs, files, executables, etc. – to enable a precise response. The SANS Institute recommends that organizations retain 30 days or more of network traffic to accomplish this.

While the above steps offer best practices for implementing an incident response solution using anomaly detection, understand that industry standards for anomaly detection are still developing. Each organization must identify the solution that best fits its own data, activity, patterns and, ultimately, threats. But by analyzing historical network data to detect suspicious behavior, the incident response team can focus attention on the anomalies that most likely represent actual threats specific to their unique organization.