Establishing Baseline Behaviors (Part 14 of 20: CERT Best Practices to Mitigate Insider Threats Series)
The 14th practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 14: Establish a baseline of normal behavior for both networks and employees. In this post, I discuss the importance of considering data volume, velocity, variety, and veracity when establishing a baseline of network or employee behavior.
The CERT Division announced the public release of the fifth edition of the Common Sense Guide to Mitigating Insider Threats in December 2016. The guide describes 20 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, and provides case studies. The 14th of the 20 best practices follows. Practice 14 builds on Practice 12, which covers collecting and aggregating these observables.
Practice 14: Establish a baseline of normal behavior for both networks and employees.
To detect and identify anomalous behavior, an organization should know what regular, benign activity looks like for its employees and networks. An organization can model this baseline of normal behavior by looking at the technical, physical, and behavioral observables for its employees and organizational units.
A baseline of behavior information answers questions such as the following:
- What is normal file access?
- What is normal VPN activity for a given user?
- What is an average employee's work schedule?
- What is normal network activity for an organizational unit?
The first step to establishing a baseline is to identify what is being collected in the SIEM, including what tools are being used and what information is missing. This data aggregation process should be audited according to organizational requirements (at least annually) to ensure that the collection process accurately represents the types of behaviors the organization wants to detect.
When establishing baselines, organizations should consider the four Vs:
- Volume ‒ the size of data (How much data is collected? What is the retention policy per sensor?)
- Velocity ‒ the speed of data (How fast is the sensor generating data? What is an appropriate window or cycle for a baseline?)
- Variety ‒ the assortment of data types, such as structured (e.g., logs, email metadata) and unstructured (e.g., IM messages, video recordings) (What observables are missing? Is there an overlap in coverage?)
- Veracity ‒ the trustworthiness and intrinsic value of data (Do these features represent the model? Is the baseline being collected during a holiday period in which there is unusual activity?)
These Vs underscore the importance of identifying the capabilities and constraints of the sensors and technologies used for data collection. For instance, the data-retention policy for keystroke biometrics probably dictates a shorter storage timeframe because of the velocity of that sensor. In contrast, printer logs typically accumulate data at a slower rate and can probably be stored for longer timeframes. Organizations should use these Vs as guides when evaluating their data collection and baselining processes.
Deviations (anomalies) from the established baseline can indicate a possible security incident. Taken in the appropriate context, such abnormalities can provide technical indicators of potential insider attacks. Therefore, organizations should consider how to distinguish abnormal behavior from normal behavior and alert on it, and which attributes are missing that would provide situational context.
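The four Vs and the deviation paragraph above, worked as an added example that is not from the guide or CERT's own tooling: it builds a per-user VPN baseline (login hours and bytes per session) from a constructed log, leaves a constructed holiday out of the baseline (veracity), and reports which attributes of a new session fall outside that baseline. User names, dates, byte counts and the 3-standard-deviation threshold are assumptions.

```python
# Added example, not CERT's own tooling: learn a per-user VPN baseline from a
# constructed training window (velocity) and flag sessions that deviate from it.
from collections import defaultdict
from datetime import datetime, date
from statistics import mean, pstdev

# Constructed sample VPN session log: timestamp,user,bytes_transferred
TRAINING_LOG = """\
2016-11-01T08:05:00,alice,120000
2016-11-02T08:40:00,alice,95000
2016-11-03T09:10:00,alice,110000
2016-11-04T17:30:00,alice,130000
2016-11-07T08:20:00,alice,100000
2016-11-24T02:15:00,alice,9000000
2016-11-01T07:55:00,bob,300000
2016-11-02T08:10:00,bob,280000
2016-11-03T08:30:00,bob,310000
"""
# Veracity: a constructed holiday whose unusual 02:15 / 9 MB session must not
# become part of alice's "normal" profile.
EXCLUDED_DATES = {date(2016, 11, 24)}

def parse(log):
    for line in log.strip().splitlines():
        ts, user, nbytes = line.split(",")
        yield datetime.fromisoformat(ts), user, int(nbytes)

def build_baseline(log, excluded_dates=EXCLUDED_DATES):
    """Per user: set of login hours seen, mean and population stdev of bytes."""
    hours, volumes = defaultdict(set), defaultdict(list)
    for ts, user, nbytes in parse(log):
        if ts.date() in excluded_dates:  # drop sessions from the holiday period
            continue
        hours[user].add(ts.hour)
        volumes[user].append(nbytes)
    return {u: {"hours": hours[u], "mean": mean(volumes[u]),
                "stdev": pstdev(volumes[u])} for u in hours}

def check_session(baseline, ts, user, nbytes, k=3.0):
    """Return the reasons a session deviates from the user's baseline ([] if none)."""
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]  # needs situational context, not a blind alert
    reasons = []
    if ts.hour not in profile["hours"]:
        reasons.append("hour outside baseline")
    if nbytes > profile["mean"] + k * profile["stdev"]:
        reasons.append("volume above baseline")
    return reasons
```

Building the baseline with `excluded_dates=set()` shows the veracity problem directly: the holiday session makes 02:00 a "normal" hour for alice and inflates her volume threshold enough to hide a later large transfer.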
In summary, this best practice encourages an organization to identify the normal behavior of its environment. An organization should also configure devices and protocols to use only the services they require and alert on anomalies. Refer to the complete fifth edition of the Common Sense Guide to Mitigating Insider Threats for further information regarding this best practice.
Check back next week to read about Practice 15: Enforce separation of duties and least privilege, or subscribe to a feed of the Insider Threat blog to be alerted when a new post is available.